Installing Tekton Operator
To configure images from a custom registry, follow the Air Gap Configuration guide.
-
Install operator
$ kubectl apply -f https://infra.tekton.dev/tekton-releases/operator/latest/release.yamlNote: This will also install pipelines, triggers, chains, and dashboard
-
In case you want to install other components, use available installation profiles:
lite,all,basicWhere
Platform Profile Installed Component Kubernetes, OpenShift lite Pipeline Kubernetes, OpenShift basic Pipeline, Trigger, Chains Kubernetes all Pipeline, Trigger, Chains, Dashboard OpenShift all Pipeline, Trigger, Chains, Pipelines as Code, Addons To install pipelines, triggers, chains and dashboard (use profile ‘all’)
$ kubectl apply -f https://raw.githubusercontent.com/tektoncd/operator/main/config/crs/kubernetes/config/all/operator_v1alpha1_config_cr.yaml
Platform notes
OpenShift: do not run pipelines in the default namespace
On OpenShift, the default namespace is classified as a “highly privileged” system namespace. Pod Security Admission (PSA) label synchronization is permanently disabled there by the platform, so even though the operator correctly creates the pipeline ServiceAccount and RBAC bindings in default, PipelineRuns submitted to that namespace fail with permissionDenied errors: PSA enforces the restricted profile and the SCC-to-PSA label sync never runs.
User-created namespaces are not affected because the Cluster Policy Controller automatically syncs SCC privileges into PSA labels. The OpenShift documentation has the same guidance (Do not run workloads in or share access to default projects).
Run pipelines in a dedicated namespace instead of default on OpenShift. See tektoncd/operator#3427 for the original report.
Feedback
Was this page helpful?